CVE-2013-4458

Published: Dec 12, 2013Modified: Apr 29, 2026

5.0

Vector

AV:N/AC:L/Au:N/C:N/I:N/A:P

Exploitability: 10.0 / Impact: 2.9

Source: NVD

Description

Stack-based buffer overflow in the getaddrinfo function in sysdeps/posix/getaddrinfo.c in GNU C Library (aka glibc or libc6) 2.18 and earlier allows remote attackers to cause a denial of service (crash) via a (1) hostname or (2) IP address that triggers a large number of AF_INET6 address results. NOTE: this vulnerability exists because of an incomplete fix for CVE-2013-1914.

Affected (29)

Products: Gnu: Glibc · Suse: Linux Enterprise Debuginfo, Linux Enterprise Server

1 product

2 products

Linux Enterprise Debuginfo

Linux Enterprise Server

Configuration A

27 vulnerable

Vulnerable Software	Affected Versions
Gnu Glibc	Up to 2.18
Gnu Glibc	Version 2.0.1
Gnu Glibc	Version 2.0.2
Gnu Glibc	Version 2.0.3
Gnu Glibc	Version 2.0.4
Gnu Glibc	Version 2.0.5
Gnu Glibc	Version 2.0.6
Gnu Glibc	Version 2.0
Gnu Glibc	Version 2.1.1.6
Gnu Glibc	Version 2.1.1
Gnu Glibc	Version 2.1.2
Gnu Glibc	Version 2.1.3
Gnu Glibc	Version 2.1.9
Gnu Glibc	Version 2.10.1
Gnu Glibc	Version 2.11.1
Gnu Glibc	Version 2.11.2
Gnu Glibc	Version 2.11.3
Gnu Glibc	Version 2.11
Gnu Glibc	Version 2.12.1
Gnu Glibc	Version 2.12.2
Gnu Glibc	Version 2.13
Gnu Glibc	Version 2.14.1
Gnu Glibc	Version 2.14
Gnu Glibc	Version 2.15
Gnu Glibc	Version 2.16
Gnu Glibc	Version 2.17
Gnu Glibc	Version 2.1

Configuration B

2 vulnerable

Vulnerable Software	Affected Versions
Suse Linux Enterprise Debuginfo	Version 11 sp2
Suse Linux Enterprise Server	Version 11 sp2

Related CWEs

Improper Restriction of Operations within the Bounds of a Memory Buffer

The product performs operations on a memory buffer, but it reads from or writes to a memory location outside the buffer's intended boundary. This may result in read or write operations on unexpected memory locations that could be linked to other variables, data structures, or internal program data.

References (12)

http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2013:283

Source: secalert@redhat.com

http://www.mandriva.com/security/advisories?name=MDVSA-2013:284

Source: secalert@redhat.com

https://security.gentoo.org/glsa/201503-04

Source: secalert@redhat.com

https://sourceware.org/bugzilla/show_bug.cgi?id=16072

Source: secalert@redhat.com

Exploit

https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html

Source: secalert@redhat.com

Patch

http://lists.opensuse.org/opensuse-security-announce/2016-02/msg00036.html

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mandriva.com/security/advisories?name=MDVSA-2013:283

Source: af854a3a-2127-422b-91ae-364da2661108

http://www.mandriva.com/security/advisories?name=MDVSA-2013:284

Source: af854a3a-2127-422b-91ae-364da2661108

https://security.gentoo.org/glsa/201503-04

Source: af854a3a-2127-422b-91ae-364da2661108

https://sourceware.org/bugzilla/show_bug.cgi?id=16072

Source: af854a3a-2127-422b-91ae-364da2661108

Exploit

https://sourceware.org/ml/libc-alpha/2013-10/msg00733.html

Source: af854a3a-2127-422b-91ae-364da2661108

Patch

Timeline

No history available yet.